Distributed dynamic architecture for error correction

ABSTRACT

Various systems and methods may be used to implement a software defined industrial system. For example, an orchestrated system of distributed nodes may run an application, including modules implemented on the distributed nodes. The orchestrated system may include an orchestration server, a first node executing a first module, and a second node executing a second module. In response to the second node failing, the second module may be redeployed to a replacement node (e.g., the first node or a different node). The replacement mode may be determined by the first node or another node, for example based on connections to or from the second node.

PRIORITY CLAIM

This application is a continuation of U.S. application Ser. No. 17/120,512, filed Dec. 14, 2020, now issued as U.S. Pat. No. 11,265,402, which is a continuation of U.S. application Ser. No. 16/147,168, filed Sep. 28, 2018, now issued as U.S. Pat. No. 10,868,895, which claims the benefit of priority to U.S. Provisional Patent Application Ser. No. 62/587,227, filed Nov. 16, 2017 and titled “DISTRIBUTED SOFTWARE DEFINED INDUSTRIAL SYSTEMS”, and 62/612,092, filed Dec. 29, 2017, and titled “DISTRIBUTED SOFTWARE DEFINED INDUSTRIAL SYSTEMS”; the above-identified applications are incorporated herein by reference in their entirety.

TECHNICAL FIELD

Embodiments described herein generally relate to data processing and communications within distributed and interconnected device networks, and in particular, to techniques for defining operations of a software-defined industrial system (SDIS) provided from configurable Internet-of-Things devices and device networks.

BACKGROUND

Industrial systems are designed to capture real-world instrumentation (e.g., sensor) data and actuate responses in real time, while operating reliably and safely. The physical environment for use of such industrial systems may be harsh, and encounter wide variations in temperature, vibration, and moisture. Small changes to system design may be difficult to implement, as many statically configured I/O and subsystems lack the flexibility to be updated within an industrial system without a full unit shutdown. Over time, the incremental changes required to properly operate an industrial system may become overly complex and result in significant management complexity. Additionally, many industrial control systems encounter costly operational and capital expenses, and many control systems are not architecturally structured to take advantage of the latest information technology advancements.

The development of Internet of Things (IoT) technology along with software-defined technologies (such as virtualization) has led to technical advances in many forms of telecom, enterprise and cloud systems. Technical advances in real-time virtualization, high availability, security, software-defined systems, and networking have provided improvements in such systems. However, IoT devices may be physically heterogeneous and their software may also be heterogeneous (or may grow increasingly heterogeneous over time), making such devices complex to manage.

Limited approaches have been investigated to utilize IoT devices and IoT frameworks even despite the technical advances that have occurred in industrial automation and systems. Further, industry has been hesitant to adopt new technologies in industrial systems and automation, because of the high cost and unproven reliability of new technology. This reluctance means that typically, only incremental changes are attempted; and even then, there are numerous examples of new technology that underperformed or took long periods of time to bring online. As a result, wide-scale deployment of IoT technology and software-defined technologies has not been successfully adapted to industrial settings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, which are not necessarily drawn to scale, like numerals may describe similar components in different views. Like numerals having different letter suffixes may represent different instances of similar components. Some embodiments are illustrated by way of example, and not limitation, in the figures of the accompanying drawings in which:

FIG. 1A illustrates a configuration of an SDIS operational architecture, according to a first example;

FIG. 1B illustrates a configuration of an SDIS operational architecture, according to a second example;

FIG. 2A illustrates a configuration of a real-time advanced computing subsystem deployable within the SDIS operational architecture of FIG. 1A, according to an example;

FIG. 2B illustrates a configuration of an edge control node subsystem deployable within the SDIS operational architecture of FIG. 1A, according to an example;

FIG. 3A illustrates a configuration of a real-time advanced computing subsystem deployable within the SDIS operational architecture of FIG. 1B, according to an example;

FIGS. 3B and 3C illustrates a configuration of cloud computing and edge computing subsystems deployable within the SDIS operational architecture of FIG. 1B, according to an example;

FIG. 4 illustrates a configuration of a control messages bus used within an SDIS operational architecture, according to an example;

FIG. 5A illustrates a first network configuration for deployment of SDIS subsystems, according to an example;

FIG. 5B illustrates a second network configuration for deployment of SDIS subsystems, according to an example;

FIG. 6 illustrates a dynamically established set of orchestration operations in a SDIS operational architecture, according to an example;

FIG. 7 illustrates an example application connection diagram;

FIG. 8 illustrates an example architectural view of an application with a standby node;

FIG. 9 illustrates a flowchart of a method for creating an automatic redundant module of an application on a redundant node based on communication patterns of the application according to an example;

FIG. 10 illustrates a flowchart of a method for activating a CPU according to an example;

FIG. 11 illustrates a domain topology for respective internet-of-things (IoT) networks coupled through links to respective gateways, according to an example;

FIG. 12 illustrates a cloud computing network in communication with a mesh network of IoT devices operating as a fog device at the edge of the cloud computing network, according to an example;

FIG. 13 illustrates a block diagram of a network illustrating communications among a number of IoT devices, according to an example; and

FIG. 14 illustrates a block diagram for an example IoT processing system architecture upon which any one or more of the techniques (e.g., operations, processes, methods, and methodologies) discussed herein may be performed.

DETAILED DESCRIPTION

In the following description, methods, configurations, and related apparatuses are disclosed for the configuration, operation, and adaptation of software-defined industrial service (SDIS) deployments. In particular, the following SDIS deployments include features of modern operational architecture-based industrial systems, along with derivative architectures or solution instances of such deployments. For instance, such architectures and instances may include virtualized control server systems, which implement features of an edge control device and a control messages bus within a control or monitoring system. Such architecture and instances may be further integrated with aspects of IoT networks, involving various forms of IoT devices and operations.

The processing techniques and configurations discussed herein include a variety of approaches for managing operations, data, and processing within various types of SDIS architectures. An overview of the following approaches are provided in the following paragraphs; further reference to specific implementation examples and use cases is discussed below.

In an example, redundancy may be a useful but challenging aspect of deploying an orchestrated system. A peer-to-peer node network may be used to coordinate backup, redeploy, or reconnection of modules to create redundancy without extensive costs, which may include avoiding top-down control. The techniques described herein may reduce slow or costly responses, such as those that require a connection between the distributed nodes and an orchestrator.

Other examples will be apparent from the following drawings and text disclosure.

Overview of Industrial Automation Systems

Designing and implementing effective industrial automation systems presents many technical challenges. Because the lifecycle of an industrial plant in many cases far exceeds the lifecycle of the technology that runs the plant, the administration and maintenance costs of technology are often very difficult to manage. In an example, a SDIS deployment may be adapted for dynamic configuration (and re-configuration) of software and hardware resources in industrial systems through resource abstraction with the following approaches. Such resource abstraction provides flexibility for updating the configuration without removing the industrial system out of service; such resource abstraction also provides flexibility for updating the industrial system with improved capabilities over time.

Use of open architectures and abstracted links between software and hardware in the presently disclosed SDIS approaches provides these and other technical benefits, while allowing vendors to focus on the capabilities and implementation of a specific vendor application. The disclosed open architectures also promote innovation, reduce the cost of hardware replacement, and eliminate the risk of hardware obsolescence. The disclosed open architectures enable security to be implemented as an intrinsic part of the SDIS, such as through the use of a hardware root of trust, signed applications, and comprehensive security management. Such configurations enable a simplified control system with inherent security and the capability to easily integrate capabilities over time. These technical improvements, combined with features of open architecture and standards implementations, enable the rapid integration of industrial control within an SDIS.

Some existing approaches such as the Open Group's Open Process Automation Forum have begun development of a standards-based, open, interoperable process control architecture features for industrial automation, targeting industries such as Food and Beverage, Mining and Metals, Oil and Gas, Petrochemical, Pharmaceutical, Pulp and Paper, and Utilities. The present configuration and functionality of a SDIS and the accompanying subsystems and techniques may be integrated with use of this standard or similar approaches within industrial automation and system deployment efforts. Further, the present configuration and functionality of a SDIS and the accompanying subsystems may be utilized in these or other industries. Accordingly, variations and changes to the following implementations will be evident.

FIG. 1A depicts a first example configuration of an SDIS operational architecture. As shown, a control messages bus 112 is used to connect various components of the architecture, with such components including Operational Tools 120, a Control Server (CS) node 130A, Edge Control Node (ECN) systems 150, Intelligent I/O Controller systems 165, Basic I/O Controller systems 160, Gateway systems 170, and Control Stations 115. Various field devices (151, 161, 166, 171) are connected to the respective systems (150, 160, 165, 170). Some of the example use cases and configurations of this operational architecture are further discussed below.

In an example, the Operational Tools 120 may include aspects of: procedure development tools, historian tools, human-machine interface (HMI) development, controls, and operations tools. Various aspects of the Operational Tools 120 may be implemented with respective virtual machines 131A operating in the control server node 130A (as further depicted in FIG. 2A).

In an example, the control server node 130A may include aspects of various virtual machines 131A, coordinated via a hypervisor layer 132A, and operating with features of a host operating system 133A and a computer hardware architecture 134A. The control server node 130A may be used to implement various aspects of orchestration 135A, involving both machine orchestration and operational application orchestration. A further detailed discussion of the control server node 130A is provided below with reference to FIG. 2A below.

In an example, the ECN systems 150 may include various aspects of orchestration (e.g., orchestration implementation) from an ECN I/O controller (e.g., nodes 150A, 150B) operating on specific hardware (e.g., an x86 or ARM hardware implementation). A further detailed example of the ECN systems 150 and its role in orchestration for various connected devices (e.g., field devices 151A, 151B) is provided below with reference to FIG. 2B.

In an example, the Intelligent I/O systems 165 may include various configurable aspects of industrial control from an Intelligent I/O controller (e.g., controller 165A, 165B) and an accompanying operating system, used for control or access of various devices (e.g., field devices 166A, 166B). Also in an example, the Basic I/O systems 160 may include various operating aspects of industrial control from a Basic I/O controller (e.g., controller 160A, 160B) and an accompanying operating system, used for control or access of various devices (e.g., field devices 161A, 161B).

In an example, the Gateway systems 170 may include various configurable aspects for connection to other device networks or deployments, from a gateway (e.g., gateways 170A, 170B), used for control or access of various devices (e.g., field devices 171A, 171B). Within the various devices, roles of a sensor (“S”) and actuator (“A”) components are labeled throughout the field devices (e.g., on field devices 151A, 151B, 161A, 161B, 166A, 166B, 171A, 171B). It will be understood that additional number and types of devices and components may also be coupled to the various systems 150, 160, 165, 170.

The operational architecture depicted in FIG. 1A is configured to enable many of the same attributes seen in traditional enterprise architectures, such as HW/SW modularity, SW portability, interoperability, application extensibility and computational scalability. Beyond this, the new infrastructure framework components introduced in this architecture, most notably in the implementation of CS and ECN systems, may be deployed to support both centralized and decentralized concepts for the SDIS techniques discussed herein.

For example, the use of an ECN I/O Controller (e.g., in ECN nodes 150A, 150B) is a significant architecture departure from current DCS (Distributed Control System) and PLC (programmable logic controller) control systems, which have evolved for over the last fifty years. Any architectural advancement in this mission-critical portion of the ANSI/ISA-95 automation interface stack must adhere to the strict and resilient requirements of process control. With the SDIS architecture described herein, the ECN system may not only maintain these strict operational requirements, but also may remain open, interoperable, while allowing industry uses to safely, reliably, securely and rapidly introduce or refresh these systems with ongoing technological advancements. The present SDIS architecture enables wider ecosystem participation, innovation and production customization throughout the operational and control stack. For instance, the ECN system may be provided with control disaggregation to serve as a basic control system building block, to amplify control function customization and enable increased process flexibility for a variety of use cases.

FIG. 1B depicts a second example configuration of an SDIS operational architecture. In a similar fashion as shown as FIG. 1A, the configuration of FIG. 1B illustrates a control messages bus 112 that is used to connect various components of the operational architecture, with such components including cloud components (a real time advanced computing system 130B, operating as a control server, and cloud computing services 180) edge components (an edge ecosystem 190 with constituent edge computing nodes 191A, 191B, 191C, a first edge computing platform 193, and a second edge computing platform 195), and Control Stations 115. Various field devices (192, 194) with sensors and actuators are connected to the respective edge computing nodes (in the edge ecosystem 190 and edge computing platforms 193, 195). The operational goals and features discussed above are also applicable to the configuration of FIG. 1B.

As a further extension of the SDIS operational architecture introduced in FIG. 1A, the configuration of FIG. 1B illustrates a scenario where the operations of the controllers and servers across the various cloud and edge components are virtualized through respective virtual machines, deployed with respective containers, deployed with respective applications, or any combination thereof. As a result, the SDIS operational architecture of FIG. 1B allows a reconfigurable and flexible deployment to a variety of hardware settings (including both ARM and x86 hardware architectures). A further breakout of the real time advanced computing system 130B is depicted in FIG. 3A, and further breakout of the cloud computing services node 180 and the edge computing node 193 is discussed in FIGS. 3B and 3C respectively.

Another aspect of the SDIS architecture may involve the use of real-time communications. The control messages bus 112, hosted on a service bus fabric 110, may be utilized to enable internetworking convergence on multiple levels. For instance, the control messages bus 112 may enable use of Ethernet transports with time-sensitivity, such as through Ethernet-based time-sensitive networking (TSN) open standards (e.g., the IEEE 802.1 TSN Task Group). Further, use of the control messages bus 112 may allow greater performance and scale at the cloud server rack level and across large networked or chassis of edge nodes.

In the SDIS architecture, real-time services may operate on top of a real-time physical transport via the control messages bus 112, such as via Ethernet TSN. The control messages bus 112 may be adapted to address the heterogeneity of existing middleware or communication stacks in an IoT setting (e.g., with use of Open Platform Communications Unified Architecture (OPC-UA), Object Management Group Data Distribution Service (DDS), OpenDXL, Open Connectivity Foundation (OCF), or the like standards), to enable seamless device-to-device connectivity to address the emerging implementations of IoT deployments.

In an example, the orchestration management for a SDIS architecture may be implemented by a Control Server (CS) design. FIG. 2A illustrates a configuration of a control server subsystem (e.g., implementing the CS node 130A) within an SDIS operational architecture (e.g., the operational architecture discussed above with reference to FIG. 1A). Specifically, FIG. 2A provides a further illustration of the CS node 130A and its component virtual machines 131A, hypervisor 132A, host operating system 133A, and hardware architecture 134A; as depicted, the CS node 130A is shown as a single node but may include two or more nodes with many virtual machines distributed across these nodes.

In an example, the CS node 130A may include orchestration 135A that is facilitated from machine and operation application orchestration. The machine orchestration may be defined with use of a machine library 136, such as a database for implementing platform management; the operation application orchestration may be defined with use of a control function library 142 and operational application library 144. For instance, control standards design 141 and integrated (and secure) application development processes 143 may be used to define the libraries 142, 144.

In an example, the CS node 130A is designed to host ISA level L1-L3 applications in a virtualized environment. This may be accomplished by running virtual machines (VMs) 131A on top of a hypervisor 132A with each VM encapsulating Future Airborne Capability Environment (FACE)-compliant stacks and applications, or non-FACE applications such as a human-machine interfaces (HMIs), Historians, Operations Tools, etc. In an example, FACE-compliant VMs may provide an entire FACE stack (operating system, FACE segments, and one or more portable components) that is encapsulated in a VM. The encapsulation means that each VM may have its own virtual resources (compute, storage, memory, virtual networks, QoS, security policies, etc.) isolated from the host and other VMs by the hypervisor 132A, even as each VM may be running different operating systems such as Linux, VxWorks, or Windows.

To maximize the benefit of virtualization and robustness, related groups of portable components may be grouped in a FACE-compliant VM and with the use of multiple FACE-compliant VMs. Using this approach spreads the workload across the CS hardware and isolates resources specific to that group of components (such as networks), while still allowing the applications to communicate with other virtualized and physical devices such as ECNs through the network. Distributing the FACE portable components across VMs increases security by isolating unrelated components from each other, provides robustness to failures, allows independent update of functions, and eases integration to allow individual vendors to provide fully functioning VMs into the system.

In a further example, Layer 2 components may be separated from Layer 3 components within separate VMs (or groups of VMs) to provide isolation between the layers and allow different network connectivity, security controls, and monitoring to be implemented between the layers. Grouping portable components may also provide benefits to integration, to allow multiple vendor solutions to be easily combined running multiple virtual machines and configuring the network between them. Also in a further example, additional operating systems such as Windows, Linux, and other Intel architecture-compatible operating systems (e.g. VxWorks real-time operating system) may each be deployed as virtual machines. Other configurations of the presently disclosed VMs within a CS node 130A may also enable other technical benefits.

In an example, a cloud infrastructure platform may be utilized in the CS node 130A, such as a real-time advanced computing system adapted with use of open source standards and implementations such as Linux, KVM, OpenStack, and Ceph. For instance, the cloud infrastructure platform may be adapted to address critical infrastructure requirements such as high availability of the platform and workloads, continuous 24/7 operation, determinism/latency, high performance, real-time virtualization, scalability, upgradeability, and security. The cloud infrastructure platform also may be adapted to meet software-defined industrial automation-specific critical infrastructure requirements.

FIG. 2B illustrates an example configuration of a distributed edge control node (ECN) subsystem within an SDIS operational architecture (e.g., the operational architecture discussed above with reference to FIG. 1A). In an example, the ECN nodes 150A, 150B reside in the ISA-95 Level 1/Level 2 and are positioned as a fundamental, basic HW/SW building block.

In an example, the ECN nodes 150A, 150B support a single input or output to a single field-bus device via a sensor or actuator or smart device (e.g., located externally to an ECN cabinet). The ECN device architecture may be extended through an ECN cabinet or rack system that extends the openness and flexibility of the distributed control system addressing wiring, upgrade, and fault-tolerance limitations with existing proprietary DCS systems. In an example, the ECN architecture operates in a standard POSIX OS with a FACE-compliant stack implemented as segments or groups software modules. Various approaches for deployment of these software modules are referenced in the examples below.

The ECN nodes 150A, 150B may support a variety of software-defined machines for aspects of orchestration and services (such as the orchestrations depicted below for FIG. 6 ). In an example, the ECN nodes 150A, 150B may integrate with various hardware security features and trusted execution environment, such as Intel® Software Guard eXtensions (SGX), Dynamic Application Loader (DAL), secure VMM environments, and trusted computing-standard Trusted Platform Module (TPM). In a further example, secure boot may be enabled with fused and protected key material accessed within protected hardware cryptographic engines, such as Intel® Converged Security and Manageability Engine (CSME) and Platform Trust Technology (PTT). Additionally, cryptographic functions may be made more secure with special hardware instructions for AES encryption and SHA computations. Other forms of security such as an Intel® Enhanced Privacy ID (EPID) may be being adopted across the industry as a preferred device identity key, which may be enabled through automated device registration (e.g., Intel Secure Device Onboarding (SDO)) technology for secure, zero-touch onboarding of devices. In further examples, the ECN nodes 150A, 150B and other subsystems of the SDIS architecture may be interoperable with these or other security approaches.

FIG. 3A illustrates a more detailed configuration of the real-time advanced computing system 130B deployable within the SDIS operational architecture of FIG. 1B. Specifically, the configuration of FIG. 3A illustrates the operation of respective virtual machines 131B which may include different deployment types of virtual machines, containers, and applications, operating on a hypervisor layer 132B. The hypervisor layer 132B may be controlled with use of a host operating system 133B, as the VMs, hypervisor, and operating system execute on the hardware architecture 134B (e.g., a commercial off-the-shelf (COTS) x86 architecture). The aspects of real time orchestration 135B may be integrated into all levels of the computing system operation. Thus, a x86 computing system may be adapted to coordinate any of the cloud- or server-based SDIS functions or operations discussed herein. Other aspects of functionality or hardware configuration discussed for the CS node 130A may also be applicable to the computing system 130B.

FIGS. 3B and 3C illustrates a more detailed configuration of cloud computing 180 and edge computing 193 subsystems, respectively, deployable within the SDIS operational architecture of FIG. 1B. In a similar fashion as depicted in FIG. 3A, a series of virtual machines 181, 196, hypervisor layers 182, 197, host operating systems 183, 198, and COTS x86 hardware architectures 184, 199 depicted in FIGS. 3B and 3B may be adapted to implement the respective systems 180, 193. Applications and containers may be used to coordinate the cloud- and edge-based functionality, under the control of real-time orchestration. Other aspects of functionality or hardware configuration discussed for the ECN nodes 150 may also be applicable to the edge computing node 193. The edge computing node 193 may implement control functions to control a field device.

Systems and techniques described herein may integrate “Mobile-edge Computing” or “Multi-Access Edge Computing” (MEC) concepts, which accesses one or multiple types of Radio Access Networks (RANs) to allow increases in speed for content, services, and applications. MEC allows base stations to act as intelligent service hubs, capable of delivering highly personalized services in edge networks. MEC provides proximity, speed, and flexible solutions to a variety of mobile devices, including devices used in next-generation SDIS operational environments. As an example, a MEC approach is described in “Mobile-Edge Computing, A key technology towards 5G,” a paper published by the European Telecommunications Standards Institute (ETSI) as ETSI White Paper No. 11, by Yun Chao Hu, et al., ISBN No. 979-10-92620-08-5, available at http://www.etsi.org/news-events/news/1009-2015-09-news-new-white-paper-etsi-s-mobile-edge-computing-initiative-explained, which is incorporated herein in its entirety. It will be understood that other aspects of 5G/next generation wireless networks, software-defined networks, and network function virtualization, may be used with the present SIDS operational architecture.

FIG. 4 illustrates an example configuration of a real-time service bus (e.g., a configuration of the control messages bus 112) used within an SDIS operational architecture. This configuration allows support for various processing control nodes, as discussed herein. For instance, the control messages bus 112 may be used to connect respective control processing nodes 410 (including various hardware and software implementations on nodes 410A, 410B, 410C) and cloud-based services or control server(s) 130A with various edge devices 420 (e.g., I/O controllers 150, 160, 165, or edge computing nodes 191, 193, 195).

In an example, the control messages bus 112 may be implemented to support packet level, deterministic, control networks, with rate monotonic control requirements. These features have conventionally been provided by proprietary Distributed Control System (DCS), Supervisory Control And Data Acquisition (SCADA) or Programmable Logic Controller (PLC) components. Most of these systems were engineered to design parameters that limited the number of nodes and data elements with little ability to dynamically manage the quantity and quality of the data for what is commonly a closed and isolated network within the facility. Over the lifecycle of these systems, the desire to implement emerging new use cases has been severely limited by the underlying inflexibility and limited scalability of expensive control system infrastructure.

With prior approaches, both open source and open standards-based service bus middleware options have matured to the point that the critical mission ecosystem of solution providers have embraced these technologies as “best-in-breed” capabilities to build scalable, highly redundant, fault tolerant, real-time systems at a fraction of the historical cost. This has sparked a realization of new use cases that may be achieved for both discrete and continuous processing where commodity level hardware and open source, standards based software have converged to enable real-time compute methods, while maintaining service oriented architecture based design principles.

In an example, control messages bus technologies may be extended further by enabling real-time compute at the hardware level by enabling Time Sensitive Networking (TSN) and Time Coordinated Compute (TCC) both between and within platform nodes of a network. Both proprietary and open standard-based solutions may be integrated with commodity hardware enabled enhancements, including utilizing industry standards offered by the OPC-UA (OPC Unified Architecture) and DDS (Data Distribution Service) groups, and proprietary implementations like the SERCOS standards where hard real-time requirements for discrete motion control are mandatory in robotic and machine control applications.

In an example, the control messages bus and the overall SDIS architecture may also be integrated with the Industrial Internet Consortium (IIC) features. These may include various formulating and testing standards for the industrial use of TSN, which may enhance the performance and QoS of both DDS and OPC-UA based solutions by dramatically reducing both packet level latency and jitter. Further, aspects of Object Management Group (OMG) and the OPC Foundation standards may be positioned to support increased integration of OPC-UA and DDS implementation models that leverage the information modeling of OPC-UA, and the QoS and performance capabilities of DDS in architectural design. New use cases may include analytics and autonomous capabilities.

FIG. 5A illustrates a first network configuration 500 for an example deployment of SDIS subsystems. The first network configuration 500 illustrates a scaled-down, small-footprint deployment option that combines controller, storage, and compute functionality on a redundant pair of hosts (nodes 510A, 510B). In this configuration, the controller functionality (for control applications or implementations) is active/standby across the nodes 510A, 510B while the compute functionality (for all remaining processes) is active/active, meaning that VMs may be deployed to perform compute functionality on either host.

For example, LVM/iSCSI may be used as the volume backend that is replicated across the compute nodes, while each node also has a local disk for ephemeral storage. Processor bandwidth and memory may be also reserved for the controller function. This two-node solution may provide a lower cost and lower footprint solution when less processing and redundancy is needed.

FIG. 5B illustrates a second network configuration for deployment of SDIS subsystems. The second network configuration 550 may provide dedicated storage nodes with high capacity, scalability, and performance. As compared with the first network configuration 500, the second network configuration 550 allows controller, storage, and compute functionalities to be deployed on separate physical hosts, allowing storage and compute capacity to scale independently from each other.

In an example, the second network configuration may be provided from a configuration of up to eight storage nodes (nodes 530A-530N) and eight disks per storage node in a high availability (e.g., Ceph) cluster (e.g., coordinated by controller nodes 520A, 520B), with the high availability cluster providing image, volume, and objects storage for the compute nodes. For instance, up to 100 compute nodes (e.g., node 540) may be supported, each with its own local ephemeral storage for use by VMs. As will be understood, a variety of other network configurations may be implemented with use of the present SDIS architecture.

The SDIS architecture and accompanying data flows, orchestrations, and other features extended below, may also utilize aspects of Machine Learning, Cognitive Computing and Artificial Intelligence. For instance, The SDIS architecture may be integrated with a reference platform with foundations in hardware-based security, interoperable services, and open-source projects, including the use of big data analytics and machine learning for cybersecurity. The SDIS architecture may utilize immutable hardware elements to prove device trust, and characterize network traffic behavior based on filters augmented with machine learning to separate bad traffic from benign.

The various components of the SDIS architecture may be integrated with a rich set of security capabilities to enable an interoperable and secure industrial system within real-world industrial settings. For example, such security capabilities may include hardware-based roots of trust, trusted execution environments, protected device identity, virtualization capabilities, and cryptographic services upon which a robust, real-time security architecture may be founded. The configuration and functionality of such components within a functional SDIS architecture deployment is further discussed in the following sections.

Overview of Functional Orchestration

FIG. 6 illustrates an example of dynamically established set of orchestration operations 600 with use of a Composable Application System Layer (CSL) in a SDIS operational architecture. The CSL may be utilized to enable a secure design and orchestration of control functions and applications to support industrial operations.

In an example, the CSL maintains a library 680 of functional blocks 690, each representing control-loop logic and application components. Each functional block may be interoperable with other functional blocks. A functional block may have multiple implementations, making it portable, such that it may operate on various platform architectures and leverage special features if available (e.g. hardware accelerators). In an example, the CSL provides a control function for a cluster of edge nodes (e.g., ECNs); in further examples, the CSL provides control for VMs in the control server or other computation points in the SDIS operational architecture.

In an example, a process engineer (or other operator) defines control flows and applications by combining and configuring existing functional blocks 690 from the library 680. These functional blocks 690 may represent application logic or control loops (e.g., control loops 670, data storage, analytics modules, data acquisition or actuation modules, or the like), control modules, or any other computation elements. Because these functional blocks are reusable and interoperable, new code needs to be written only when new functional blocks are required. In further examples, such functional blocks may be utilized to implement end-to-end logic, including control flows or end-to-end applications using a graphical, drag-and-drop environment.

Starting from this application design, the CSL generates an orchestration plan 640 that specifies the required functional blocks and the requirements for points of computation to execute those functional blocks. As discussed in the following sections, orchestration 620 may encompass the process of mapping the orchestration plan 640 to available compute and communication resources. The orchestration 620 may be further adapted based on control standards design 610 (e.g., to conform the resulting orchestration to various control laws, standards, or requirements).

In an example, the CSL maintains a map 630 of computing and control resources across the SDIS network. The map 630 comprehends the topology of various compute points, from virtual machines in a data center to control points and the attached sensors and actuators. The map 630 also includes the hardware capabilities and dynamic characteristics of the control points. The map is updated regularly, allowing the system to constantly adapt to component failures. The orchestration 620 and the control loop 670 communicate using monitoring logic 650 and function deployments 660. The monitoring logic 650 outputs information from a field device or the control loop 670, which is used as an input to the map 630. The function deployment 660 is used as an input or state setting for the control loop 670.

When an operator deploys a new application definition (e.g., the orchestration 620 receives an output from the control standards design 610), the orchestration 620 determines how to best fit the functional blocks 660 to the set of available resources in map 630, and deploys the underlying software components that implement the functional blocks. Deployment of an end-to-end application may include, for example, creating virtual machines within a server, injecting code into control loops (e.g., control loops 670), and creating communication paths between components, as needed. Orchestration 620 also may be dynamic to allow functional blocks to be migrated upon failure of a computational resource, without requiring a system-wide restart. In addition, updates to the implementation of a component may be pushed, causing code to be updated as needed.

The CSL may also incorporate security and privacy features, such as to establish trust with participating devices (including edge nodes or a control server). In further examples, the CSL may be integrated with key-management used for onboarding new devices and revoking obsolete devices. The CSL may deliver keys to function blocks 660 to enable secure communication with other function blocks 660. The CSL may also deliver secured telemetry and control, integrity and isolated execution of deployed code, and integrity of communication among functional blocks.

Orchestration technologies today predominantly execute by function, application, virtual machine, or container technology. However, inherent dependencies between distributed applications are not generally managed in low-latency, high frequency mission-critical timeframes for control strategy implementations today. For embedded systems in general, dynamic orchestration historically has not been applied due to the technical limitations of managing application dependencies at runtime.

In an example, features of an SDIS architecture may be adapted to support the holistic orchestration and management of multiple dependent applications (function blocks) that execute across a distributed resource pool, to enable orchestration at an embedded control strategy level in a distributed system configuration. This provides a control strategy orchestration capability to operational technology environments while elevating overall system performance at an expected reduced total cost. For instance, an example orchestration method may incorporate dynamic network discovery, resource simulation in advance of any orchestration action, and simulation coupled with global resource optimization and prediction utilized as part of an orchestrator rule set decision tree.

The distributed resource pool may encompass applications that span: (a) a single application running in a single native device, where a second redundant application is available on an additional native device; (b) multiple coordinated applications running in multiple native devices; (c) multiple coordinated applications running in a single virtual machine, where the virtual machine is running on a single embedded device or server; (d) multiple coordinated applications running across multiple virtual machines, where each virtual machine runs in a dedicated embedded device or server; (e) multiple coordinated applications that span multiple containers contained in one virtual machine, where the virtual machine runs in a dedicated embedded device or server; or (f) multiple coordinated applications spanning multiple containers, where the containers are running on multiple embedded devices or servers. Any mixture of these application scenarios may also apply.

In an example, orchestration may include measurement of resources or reservation of resources, such as compute resources on a node (e.g., on the CPU or special purpose compute blocks like an FPGA or GPU), particular device capabilities (access to a sensor/actuator, security device (e.g., TPM), pre-installed software), storage resources on a node (memory or disk), network resources (latency or bandwidth, perhaps guaranteed via TSN), or the like.

An extended orchestrator rule set may be defined to include criteria beyond standard compute, storage, and memory metrics, such as to specify application cycle time, application runtime, application input/output signal dependency, or application process sequencing (e g a mandatory sequence that specifies which application(s) runs before or after other application blocks). This orchestration technique may provide the ability, at a distributed application control strategy level, to leverage lower cost commodity hardware and software to achieve better system performance at a control strategy level, while enabling new levels of system redundancy and failover at a lower cost across multiple applications running in ISA levels L1-L3. Further, orchestration sensitivity at the broader control strategy level may enable new levels of high availability for embedded systems at a lower cost. This may result in an increase of general system and application uptime for orchestrated and coordinated control applications, while reducing unplanned downtime for production operations at a higher ISA level than available with conventional approaches.

The following orchestration techniques may also enable additional maintenance tasks to occur (without production downtime) for systems where system redundancy is designed into the automation configuration. These techniques enable increased interoperability for where control strategies execute among vendor hardware where platform agnostic virtualization and containerization is leveraged. These techniques also leverage current, historical and simulation results to optimize workload placement for operational technology environments for real-time operations. Further, these techniques may leverage predictions of future orchestration events to pre-plan workload placement.

In an example, a distributed resource pool is defined as a combination of compute, storage, memory across networked computing assets with the addition of function block scheduling frequency, before and after processing assignments, latency tolerance for the purpose of executing application control strategies. For instance, a control strategy (or application), may be defined by a physically distributed, coordinated set of building blocks with very strict time, block-to-block scheduling, and run-time requirements for execution. The orchestration of these building blocks in time is coordinated with respect to the order of execution, processing latency and full execution cycle of all building blocks that make up the overall application control strategy.

Distributed Dynamic Architecture for Apps and Client Server Frameworks

In orchestrated systems, in an example, an application is defined as a set of modules interconnected through a topology. These modules are deployed on different logical nodes. Each logical node may correspond to a physical node, however, the mapping does not have to be 1:1. As long as the resources requirements are met, multiple logical nodes may be mapped to one physical node or multiple modules may be deployed on the same physical environment.

As the different modules are deployed, various errors, crashes or reboots of the module or the node may occur. In order to improve the resilience of the deployed application, redundancy may be used to improve availability. For example, a module may be deployed on two nodes (e.g., as a primary and a backup). When the primary node has an error, or otherwise fails, the orchestrator may switch to the backup node allowing it to take over. However, saving state of the module that went down is often non-trivial. In the systems and techniques disclosed herein, a system includes a peer-to-peer relationship among nodes on the same level in an application topology that may act as automatic backup nodes or coordinate to generate a backup. Using peer-to-peer coordination may allow for a saved state to be used, which may include listening to communication channels and redeploying the module on a different node in the case where a module or node fails or crashes.

Current redundancy solutions are manually defined or created in a redundant fashion. This makes it so that the reliability is high but the cost is also considerable since it requires duplication of resources. Manual redundancy is often challenging to define and maintain. Policies are often too simplistic and require too many resources. Further, requiring a central orchestrator to identify redundant nodes or replace failed nodes is costly and slow.

In an example, the techniques described herein may create automatic redundant nodes of modules that are based on communication patterns of the application. For example, when a first module sends data to a second module, then the node hosting the second module may become an automatic redundancy for the first module. The data generate by the first module is fed into the second module, allowing the first module to know what the inputs are to the second module. When the first module sends data to multiple modules instead of only the second module, then other issues may occur (or when the second module receives input from modules other than the first module). In these scenarios, it may be difficult to create a redundancy on any of these leaf nodes. Instead a peer-to-peer network created by the collection of nodes on the same layer may negotiate the status of a redundant node. This network of nodes may swap redundant sets among themselves with no major impact to the rest of the application.

FIG. 7 illustrates an example application connection diagram. In an example, different modules that form an application may be configured in an arrangement, such as the example shown in FIG. 7 . The connections show the flow of data among the different modules. These modules send data using a communication channel which could be running in either client/server or pub/sub mode. In this example, when an orchestrator deploys these modules, the orchestrator may choose to deploy each module on a separate compute node or with multiple modules on a single node. In this example, for simplicity, a single module is deployed on a single node. Other examples may supply redundant options when multiple modules are on a failed node, or when a module has an error (e.g., when another module on the node does not have an error).

In an example, the module B on node 720 is sending data to both modules E on node 740 and D on node 730. When module B experiences a failure then the following operations may be executed. The operations may be executed by peer-to-peer nodes, such as node 710, node 730 and node 740. The executions may include detecting the failure, redeploying module B on a replacement node (e.g., when the node 720 fails), rewire inputs (e.g., from module A) or outputs (e.g., to modules E or D), as needed, and recover a previous state of module B, which may be transferred to the replacement node.

In the example shown in FIG. 7 , the neighbors of module B (e.g., modules A, D, and E) may create a peer-to-peer network with the purpose of taking over when module B fails (e.g., when node 720 fails). In this example, the neighboring modules are positioned to re-create the state of module B because modules A, D, and E have direct contact with the input and output channels of module B. These three neighboring modules may go through a leader-election algorithm or other technique for selecting a replacement node.

In an example, the executable for module B may be deployed on one or more of the three nodes (e.g., 710, 730, or 740) or one or more of the three nodes may manage where the redundant software resides. In an example, one or more of these three nodes may manage routing the inputs or outputs in case of failure of node 720. In another example, the data may be routed even if no failure is detected (e.g., for redundancy purposes). Backing up module B using one of these techniques allows for a seamless switch to the redundant node in case of failure since these nodes are in control of where the data is flowing. In an example, a redundant node or nodes may run a shadow node with the software for the entire period of operation as a redundancy.

In the example shown in FIG. 7 , module B has neighbors of modules A, D, and E. These four modules establish a neighborhood around B, (e.g., a peer-to-peer network), and create a contingency plan for when module B fails. The plan may include using a leader-election algorithm or other technique to select a control node (e.g., node 710 is elected as having more resources to run the redundant node for module B, such as on additional resources of node 710). The control node or a selected replacement node may not be connected directly to the failed node 720, may store a redundancy of module B. When the node 720 fails, there is a redundancy for module B, the redundant node may then execute module B seamlessly. For example, module A may create a channel to let module B know about a redundant node running a redundant version of module B. Then module B and the redundant version may be in contact, where module B may send state details to the redundant module to let the redundant module be aware of context in case module B crashes.

FIG. 8 illustrates an example architectural view of an application with a redundant node. In FIG. 8 , the 3 nodes (810, 830, and 840) hosting modules A, D, and E form a peer-to-peer network. Module A is the leader of the network and manages hosting Module B′ on a redundant node 825. Module A may also route its output as inputs to both nodes 820 and 825. In the example of FIG. 8 , module B′ is constantly computing an output (e.g., the same as module B) even though module B′ is not connected to anything.

With this arrangement, the application takes ownership of its own resilience independent of the Orchestrator 805 (which may be used to set up the application or network configuration and then may be disconnected). The independence of the application may allow for a complete disconnect from the Orchestrator 805 without sacrificing reliability.

In certain examples, when the physical nodes hosting the modules are resource-restricted, it may not be feasible to have module B′ run all computations. However, in order to achieve full redundancy, one of the options as described below may be implemented.

One option includes executing module B in a virtual machine. In this example, the system may make a copy of the virtual machine whenever available resources may allow it to do so without compromising the operation of the rest of the application (e.g., by waiting for downtime or extra resources on a node becoming available). By doing so, the state of Module B may be reserved (e.g., as an image of the virtual machine).

In another option, module B may support swapping, which allows module B to have an interface to submit its internal parameters and state information to module B′. This redundant operation may be performed regularly allowing module B to save its state. The frequency of the update may be dependent on how large the module B is and whether the update may be done while continuing to meet the requirements of the different modules and the application as a whole.

In an example, when module D is elected as a leader, module D may listen to all the channels that module B′ needs to make sure that data is not lost (e.g., output from module A). This makes it possible to forward the data to module B′ when needed. Similarly, module D may set up module B′ to listen to the channel (e.g., output from module A) without module D directly listening to the channel.

In some examples, an orchestrator or application developer may decide that a certain module is too important for the application or is a single point of failure. In this scenario, this module may be assigned more than one redundant module. For example, the network formed by the three nodes may then create multiple redundant modules, (e.g., module B′ and module B″, not shown). Each one of these modules may have a different synchronization policy to create diversity or add resilience.

Typically, applications do not exist in a silo, but are often connected to other applications. Similar to the techniques and systems described above, replacing a module with an application allows a system to provide redundancy on a micro or macro level. For example, Application I may connect to Application II and become a leader in creating a redundancy and redundant policy (e.g., in case an application fails).

In the case of cascading failures or major disruptions, creating such strategies and allowing applications to take ownership of their own policies may provide redundancies without unnecessary costs. Fully distributed systems are often harder to manage but offer a higher degree of resilience due to the lack of a central authority which may turn into a single point of failure. So, in this case, each application may have its own reliability policy and strategies. In an example, applications may interconnect and apply their own macro reliability strategies. In an example, when two or more modules, nodes, or applications fail, remaining modules, nodes, or applications may act as redundancies for the failures. For example, if two nodes fail, a single node may replace both or two or more nodes may replace the two failed nodes.

The redundant applications or modules with macro or micro reliability strategies may provide protection when a system is under a security attack. Multiple failures may be detected on the macro level and accordingly strategies may change. For example, when a failure threatens to potentially wipe out applications that are in close vicinity, the strategy of the deployment may assign, on purpose, a distant neighbor as part of the community to save the state, module, or application from total failure. When security is considered in the example of FIG. 8 , module F or module C may join the network and be assigned a role. The role may not be the leader but rather a member of the community. In other words, module C may not spend too many resources managing module B′. Instead module C may make a redundant copy of module B (e.g., every so often) but not instantiate it. This may sacrifice some of the seamless properties (e.g., state may be a bit stale) but offers additional guarantees and layers of redundancy with minimal cost to the system as a whole. The concept same may apply to applications such that if part of an on premise data center becomes unusable, another data center in a different location may take over with slightly stale state and internal variable values allowing the operations to continue.

FIG. 9 illustrates a flowchart of a method for creating an automatic redundant module of an application on a redundant node based on communication patterns of the application according to an example. Flowchart 900 includes an operation 910 to create a peer-to-peer neighbor network. Flowchart 900 includes an operation 920 to render a redundant module on a redundant node, the redundant module corresponding to a module of an application on a node. Flowchart 900 includes an operation 930 to detect a failure of the node of the module. Flowchart 900 includes an operation 940 to activate the redundant module on the redundant node by rewiring inputs and outputs from the module to the redundant module. Flowchart 900 includes an operation 950 to recover a previous state off the module and transfer it to the redundant module. Flowchart 900 includes an operation 960 to continue executing the module using the redundant module. Flowchart 900 includes an operation 970 to report the failure of the node.

FIG. 10 illustrates a flowchart 1000 of a method for activating a CPU according to an example. The operations of flowchart 1000 may be performed by an orchestration server.

The flowchart 1000 includes an optional operation 1010 to configure an application including a set of distributed nodes to run on an orchestrated system. The flowchart 1000 includes an operation 1020 to run a first module on a first node, the first module having a first output. The flowchart 1000 includes an operation 1030 to run a second module on a second node, the second module using the first output as an input. The flowchart 1000 includes an operation 1040 to provide a second output from the second module to a third module running on a third node.

The flowchart 1000 includes an operation 1050 performed in response to detection of a failure of the second node, to determine a replacement node for redeploying the second module by coordinating between the first node and the third node. In an example, determining the replacement node includes identifying a redundant node preconfigured to receive the first output and operate the second module. The redundant node may be disconnected from any nodes (e.g., prevented from providing output to any nodes) until after the redundant node is operating as the replacement node, for example receiving input and calculating an output for maintaining a state of the second module, but not being connected to any other node. In an example, parameters and state information about the second module may be sent from the second node, the first node, or the third node, to the redundant node, such as periodically, whenever an output is generated, or the like. In another example, in response to the redundant node failing, a second redundant node may be identified to become the replacement node (e.g., for critical modules).

In an example, determining the redundant node includes determining a set of nodes connected to the second node. The set of nodes may include one or more input nodes or one or more output nodes, such as with directional indications. The replacement node may be connected to the first node to receive output from the first module and connected to the third node to provide output from the second module to the third module, for example.

A further operation may include saving, such as at the first node, a redundant state of the second module when the first output is generated. In an example, an orchestration server may initially generate a configuration of modules on nodes (e.g., the first module on the first node, etc.). In this example the orchestration server may be disconnected, for example, before any failures such as the second node failure. The first node and the third node may coordinate to determine the replacement node without help from the orchestration server. In an example, the second node may be implanted on a virtual machine. The second module may then be instantiated in the replacement node based on an image of the second node on the virtual machine.

IoT Devices and Networks

The techniques described above may be implemented in connection with a variety of device deployments, including in those of any number of IoT networks and topologies. Accordingly, it will be understood that various embodiments of the present techniques may involve the coordination of edge devices, the fog and intermediary devices, and cloud entities among heterogeneous and homogeneous networks. Some of the example topologies and arrangements of such networks are provided in the following paragraphs.

FIG. 11 illustrates an example domain topology for respective internet-of-things (IoT) networks coupled through links to respective gateways. The internet of things (IoT) is a concept in which a large number of computing devices are interconnected to each other and to the Internet to provide functionality and data acquisition at very low levels. Thus, as used herein, an IoT device may include a semiautonomous device performing a function, such as sensing or control, among others, in communication with other IoT devices and a wider network, such as the Internet.

IoT devices are physical objects that may communicate on a network, and may include sensors, actuators, and other input/output components, such as to collect data or perform actions from a real world environment. For example, IoT devices may include low-powered devices that are embedded or attached to everyday things, such as buildings, vehicles, packages, etc., to provide an additional level of artificial sensory perception of those things. Recently, IoT devices have become more popular and thus applications using these devices have proliferated.

Often, IoT devices are limited in memory, size, or functionality, allowing larger numbers to be deployed for a similar cost to smaller numbers of larger devices. However, an IoT device may be a smart phone, laptop, tablet, or PC, or other larger device. Further, an IoT device may be a virtual device, such as an application on a smart phone or other computing device. IoT devices may include IoT gateways, used to couple IoT devices to other IoT devices and to cloud applications, for data storage, process control, and the like.

Networks of IoT devices may include commercial and home automation devices, such as water distribution systems, electric power distribution systems, pipeline control systems, plant control systems, light switches, thermostats, locks, cameras, alarms, motion sensors, and the like. The IoT devices may be accessible through remote computers, servers, and other systems, for example, to control systems or access data.

The future growth of the Internet and like networks may involve very large numbers of IoT devices. Accordingly, in the context of the techniques discussed herein, a number of innovations for such future networking will address the need for all these layers to grow unhindered, to discover and make accessible connected resources, and to support the ability to hide and compartmentalize connected resources. Any number of network protocols and communications standards may be used, wherein each protocol and standard is designed to address specific objectives. Further, the protocols are part of the fabric supporting human accessible services that operate regardless of location, time or space. The innovations include service delivery and associated infrastructure, such as hardware and software; security enhancements; and the provision of services based on Quality of Service (QoS) terms specified in service level and service delivery agreements. As will be understood, the use of IoT devices and networks, such as those introduced in the system examples discussed above, present a number of new challenges in a heterogeneous network of connectivity comprising a combination of wired and wireless technologies.

FIG. 11 specifically provides a simplified drawing of a domain topology that may be used for a number of internet-of-things (IoT) networks comprising IoT devices 1104, with the IoT networks 1156, 1158, 1160, 1162, coupled through backbone links 1102 to respective gateways 1154. For example, a number of IoT devices 1104 may communicate with a gateway 1154, and with each other through the gateway 1154. To simplify the drawing, not every IoT device 1104, or communications link (e.g., link 1116, 1122, 1128, or 1132) is labeled. The backbone links 1102 may include any number of wired or wireless technologies, including optical networks, and may be part of a local area network (LAN), a wide area network (WAN), or the Internet. Additionally, such communication links facilitate optical signal paths among both IoT devices 1104 and gateways 1154, including the use of MUXing/deMUXing components that facilitate interconnection of the various devices.

The network topology may include any number of types of IoT networks, such as a mesh network provided with the network 1156 using Bluetooth low energy (BLE) links 1122. Other types of IoT networks that may be present include a wireless local area network (WLAN) network 1158 used to communicate with IoT devices 1104 through IEEE 802.11 (Wi-Fi®) links 1128, a cellular network 1160 used to communicate with IoT devices 1104 through an LTE/LTE-A (4G) or 5G cellular network, and a low-power wide area (LPWA) network 1162, for example, a LPWA network compatible with the LoRaWan specification promulgated by the LoRa alliance, or a IPv6 over Low Power Wide-Area Networks (LPWAN) network compatible with a specification promulgated by the Internet Engineering Task Force (IETF). Further, the respective IoT networks may communicate with an outside network provider (e.g., a tier 2 or tier 3 provider) using any number of communications links, such as an LTE cellular link, an LPWA link, or a link based on the IEEE 802.15.4 standard, such as Zigbee®. The respective IoT networks may also operate with use of a variety of network and internet application protocols such as Constrained Application Protocol (CoAP). The respective IoT networks may also be integrated with coordinator devices that provide a chain of links that forms cluster tree of linked devices and networks.

Each of these IoT networks may provide opportunities for new technical features, such as those as described herein. The improved technologies and networks may enable the exponential growth of devices and networks, including the use of IoT networks into as fog devices or systems. As the use of such improved technologies grows, the IoT networks may be developed for self-management, functional evolution, and collaboration, without needing direct human intervention. The improved technologies may even enable IoT networks to function without centralized controlled systems. Accordingly, the improved technologies described herein may be used to automate and enhance network management and operation functions far beyond current implementations.

In an example, communications between IoT devices 1104, such as over the backbone links 1102, may be protected by a decentralized system for authentication, authorization, and accounting (AAA). In a decentralized AAA system, distributed payment, credit, audit, authorization, and authentication systems may be implemented across interconnected heterogeneous network infrastructure. This allows systems and networks to move towards autonomous operations. In these types of autonomous operations, machines may even contract for human resources and negotiate partnerships with other machine networks. This may allow the achievement of mutual objectives and balanced service delivery against outlined, planned service level agreements as well as achieve solutions that provide metering, measurements, traceability and trackability. The creation of new supply chain structures and methods may enable a multitude of services to be created, mined for value, and collapsed without any human involvement.

Such IoT networks may be further enhanced by the integration of sensing technologies, such as sound, light, electronic traffic, facial and pattern recognition, smell, vibration, into the autonomous organizations among the IoT devices. The integration of sensory systems may allow systematic and autonomous communication and coordination of service delivery against contractual service objectives, orchestration and quality of service (QoS) based swarming and fusion of resources. Some of the individual examples of network-based resource processing include the following.

The mesh network 1156, for instance, may be enhanced by systems that perform inline data-to-information transforms. For example, self-forming chains of processing resources comprising a multi-link network may distribute the transformation of raw data to information in an efficient manner, and the ability to differentiate between assets and resources and the associated management of each. Furthermore, the proper components of infrastructure and resource based trust and service indices may be inserted to improve the data integrity, quality, assurance and deliver a metric of data confidence.

The WLAN network 1158, for instance, may use systems that perform standards conversion to provide multi-standard connectivity, enabling IoT devices 1104 using different protocols to communicate. Further systems may provide seamless interconnectivity across a multi-standard infrastructure comprising visible Internet resources and hidden Internet resources.

Communications in the cellular network 1160, for instance, may be enhanced by systems that offload data, extend communications to more remote devices, or both. The LPWA network 1162 may include systems that perform non-Internet protocol (IP) to IP interconnections, addressing, and routing. Further, each of the IoT devices 1104 may include the appropriate transceiver for wide area communications with that device. Further, each IoT device 1104 may include other transceivers for communications using additional protocols and frequencies. This is discussed further with respect to the communication environment and hardware of an IoT processing device depicted in FIGS. 13 and 14 .

Finally, clusters of IoT devices may be equipped to communicate with other IoT devices as well as with a cloud network. This may allow the IoT devices to form an ad-hoc network between the devices, allowing them to function as a single device, which may be termed a fog device. This configuration is discussed further with respect to FIG. 12 below.

FIG. 12 illustrates a cloud computing network in communication with a mesh network of IoT devices (devices 1202) operating as a fog device at the edge of the cloud computing network. The mesh network of IoT devices may be termed a fog 1220, operating at the edge of the cloud 1200. To simplify the diagram, not every IoT device 1202 is labeled.

The fog 1220 may be considered to be a massively interconnected network wherein a number of IoT devices 1202 are in communications with each other, for example, by radio links 1222. As an example, this interconnected network may be facilitated using an interconnect specification released by the Open Connectivity Foundation™ (OCF). This standard allows devices to discover each other and establish communications for interconnects. Other interconnection protocols may also be used, including, for example, the optimized link state routing (OLSR) Protocol, the better approach to mobile ad-hoc networking (B.A.T.M.A.N.) routing protocol, or the OMA Lightweight M2M (LWM2M) protocol, among others.

Three types of IoT devices 1202 are shown in this example, gateways 1204, data aggregators 1226, and sensors 1228, although any combinations of IoT devices 1202 and functionality may be used. The gateways 1204 may be edge devices that provide communications between the cloud 1200 and the fog 1220, and may also provide the backend process function for data obtained from sensors 1228, such as motion data, flow data, temperature data, and the like. The data aggregators 1226 may collect data from any number of the sensors 1228, and perform the processing function for the analysis. The results, raw data, or both may be passed along to the cloud 1200 through the gateways 1204. The sensors 1228 may be full IoT devices 1202, for example, capable of both collecting data and processing the data. In some cases, the sensors 1228 may be more limited in functionality, for example, collecting the data and allowing the data aggregators 1226 or gateways 1204 to process the data.

Communications from any IoT device 1202 may be passed along a convenient path (e.g., a most convenient path) between any of the IoT devices 1202 to reach the gateways 1204. In these networks, the number of interconnections provide substantial redundancy, allowing communications to be maintained, even with the loss of a number of IoT devices 1202. Further, the use of a mesh network may allow IoT devices 1202 that are very low power or located at a distance from infrastructure to be used, as the range to connect to another IoT device 1202 may be much less than the range to connect to the gateways 1204.

The fog 1220 provided from these IoT devices 1202 may be presented to devices in the cloud 1200, such as a server 1206, as a single device located at the edge of the cloud 1200, e.g., a fog device. In this example, the alerts coming from the fog device may be sent without being identified as coming from a specific IoT device 1202 within the fog 1220. In this fashion, the fog 1220 may be considered a distributed platform that provides computing and storage resources to perform processing or data-intensive tasks such as data analytics, data aggregation, and machine-learning, among others.

In some examples, the IoT devices 1202 may be configured using an imperative programming style, e.g., with each IoT device 1202 having a specific function and communication partners. However, the IoT devices 1202 forming the fog device may be configured in a declarative programming style, allowing the IoT devices 1202 to reconfigure their operations and communications, such as to determine needed resources in response to conditions, queries, and device failures. As an example, a query from a user located at a server 1206 about the operations of a subset of equipment monitored by the IoT devices 1202 may result in the fog 1220 device selecting the IoT devices 1202, such as particular sensors 1228, needed to answer the query. The data from these sensors 1228 may then be aggregated and analyzed by any combination of the sensors 1228, data aggregators 1226, or gateways 1204, before being sent on by the fog 1220 device to the server 1206 to answer the query. In this example, IoT devices 1202 in the fog 1220 may select the sensors 1228 used based on the query, such as adding data from flow sensors or temperature sensors. Further, if some of the IoT devices 1202 are not operational, other IoT devices 1202 in the fog 1220 device may provide analogous data, if available.

In an example, the various aspects of workload orchestration and operations may be adapted to the various network topologies and approaches depicted in FIG. 12 . For example, a system may establish a variety of workloads executing in the cloud 1200 in coordination with the IoT devices 1202. These workloads could be orchestrated in the cloud 1200 or fog 1220 from the edge (e.g., from IoT devices 1202), or such workloads may be orchestrated on the edge by the cloud 1200 or the fog 1220. Such concepts may also apply to gateways 1204 and data aggregators 1226 and other devices and nodes within the network topology.

In other examples, the operations and functionality described above with reference to the systems described above may be embodied by an IoT device machine in the example form of an electronic processing system, within which a set or sequence of instructions may be executed to cause the electronic processing system to perform any one of the methodologies discussed herein, according to an example. The machine may be an IoT device or an IoT gateway, including a machine embodied by aspects of a personal computer (PC), a tablet PC, a personal digital assistant (PDA), a mobile telephone or smartphone, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine may be depicted and referenced in the example above, such machine shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. Further, these and like examples to a processor-based system shall be taken to include any set of one or more machines that are controlled by or operated by a processor (e.g., a computer) to individually or jointly execute instructions to perform any one or more of the methodologies discussed herein.

FIG. 13 illustrates a drawing of a cloud computing network, or cloud 1300, in communication with a number of Internet of Things (IoT) devices. The cloud 1300 may represent the Internet, or may be a local area network (LAN), or a wide area network (WAN), such as a proprietary network for a company. The IoT devices may include any number of different types of devices, grouped in various combinations. For example, a traffic control group 1306 may include IoT devices along streets in a city. These IoT devices may include stoplights, traffic flow monitors, cameras, weather sensors, and the like. The traffic control group 1306, or other subgroups, may be in communication with the cloud 1300 through wired or wireless links 1308, such as LPWA links, optical links, and the like. Further, a wired or wireless sub-network 1312 may allow the IoT devices to communicate with each other, such as through a local area network, a wireless local area network, and the like. The IoT devices may use another device, such as a gateway 1310 or 1328 to communicate with remote locations such as the cloud 1300; the IoT devices may also use one or more servers 1330 to facilitate communication with the cloud 1300 or with the gateway 1310. For example, the one or more servers 1330 may operate as an intermediate network node to support a local edge cloud or fog implementation among a local area network. Further, the gateway 1328 that is depicted may operate in a cloud-to-gateway-to-many edge devices configuration, such as with the various IoT devices 1314, 1320, 1324 being constrained or dynamic to an assignment and use of resources in the cloud 1300.

Other example groups of IoT devices may include remote weather stations 1314, local information terminals 1316, alarm systems 1318, automated teller machines 1320, alarm panels 1322, or moving vehicles, such as emergency vehicles 1324 or other vehicles 1326, among many others. Each of these IoT devices may be in communication with other IoT devices, with servers 1304, with another IoT fog device or system (not shown, but depicted in FIG. 12 ), or a combination therein. The groups of IoT devices may be deployed in various residential, commercial, and industrial settings (including in both private or public environments).

As may be seen from FIG. 13 , a large number of IoT devices may be communicating through the cloud 1300. This may allow different IoT devices to request or provide information to other devices autonomously. For example, a group of IoT devices (e.g., the traffic control group 1306) may request a current weather forecast from a group of remote weather stations 1314, which may provide the forecast without human intervention. Further, an emergency vehicle 1324 may be alerted by an automated teller machine 1320 that a burglary is in progress. As the emergency vehicle 1324 proceeds towards the automated teller machine 1320, it may access the traffic control group 1306 to request clearance to the location, for example, by lights turning red to block cross traffic at an intersection in sufficient time for the emergency vehicle 1324 to have unimpeded access to the intersection.

Clusters of IoT devices, such as the remote weather stations 1314 or the traffic control group 1306, may be equipped to communicate with other IoT devices as well as with the cloud 1300. This may allow the IoT devices to form an ad-hoc network between the devices, allowing them to function as a single device, which may be termed a fog device or system (e.g., as described above with reference to FIG. 12 ).

FIG. 14 is a block diagram of an example of components that may be present in an IoT device 1450 for implementing the techniques described herein. The IoT device 1450 may include any combinations of the components shown in the example or referenced in the disclosure above. The components may be implemented as ICs, portions thereof, discrete electronic devices, or other modules, logic, hardware, software, firmware, or a combination thereof adapted in the IoT device 1450, or as components otherwise incorporated within a chassis of a larger system. Additionally, the block diagram of FIG. 14 is intended to depict a high-level view of components of the IoT device 1450. However, some of the components shown may be omitted, additional components may be present, and different arrangement of the components shown may occur in other implementations.

The IoT device 1450 may include a processor 1452, which may be a microprocessor, a multi-core processor, a multithreaded processor, an ultra-low voltage processor, an embedded processor, or other known processing element. The processor 1452 may be a part of a system on a chip (SoC) in which the processor 1452 and other components are formed into a single integrated circuit, or a single package, such as the Edison™ or Galileo™ SoC boards from Intel. As an example, the processor 1452 may include an Intel® Architecture Core™ based processor, such as a Quark™, an Atom™, an i3, an i5, an i7, or an MCU-class processor, or another such processor available from Intel® Corporation, Santa Clara, Calif. However, any number other processors may be used, such as available from Advanced Micro Devices, Inc. (AMD) of Sunnyvale, Calif., a MIPS-based design from MIPS Technologies, Inc. of Sunnyvale, Calif., an ARM-based design licensed from ARM Holdings, Ltd. or customer thereof, or their licensees or adopters. The processors may include units such as an A5-A10 processor from Apple® Inc., a Snapdragon™ processor from Qualcomm® Technologies, Inc., or an OMAP™ processor from Texas Instruments, Inc.

The processor 1452 may communicate with a system memory 1454 over an interconnect 1456 (e.g., a bus). Any number of memory devices may be used to provide for a given amount of system memory. As examples, the memory may be random access memory (RAM) in accordance with a Joint Electron Devices Engineering Council (JEDEC) design such as the DDR or mobile DDR standards (e.g., LPDDR, LPDDR2, LPDDR3, or LPDDR4). In various implementations the individual memory devices may be of any number of different package types such as single die package (SDP), dual die package (DDP) or quad die package (Q17P). These devices, in some examples, may be directly soldered onto a motherboard to provide a lower profile solution, while in other examples the devices are configured as one or more memory modules that in turn couple to the motherboard by a given connector. Any number of other memory implementations may be used, such as other types of memory modules, e.g., dual inline memory modules (DIMMs) of different varieties including but not limited to microDIMMs or MiniDIMMs.

To provide for persistent storage of information such as data, applications, operating systems and so forth, a storage 1458 may also couple to the processor 1452 via the interconnect 1456. In an example the storage 1458 may be implemented via a solid state disk drive (SSDD). Other devices that may be used for the storage 1458 include flash memory cards, such as SD cards, microSD cards, xD picture cards, and the like, and USB flash drives. In low power implementations, the storage 1458 may be on-die memory or registers associated with the processor 1452. However, in some examples, the storage 1458 may be implemented using a micro hard disk drive (HDD). Further, any number of new technologies may be used for the storage 1458 in addition to, or instead of, the technologies described, such resistance change memories, phase change memories, holographic memories, or chemical memories, among others.

The components may communicate over the interconnect 1456. The interconnect 1456 may include any number of technologies, including industry standard architecture (ISA), extended ISA (EISA), peripheral component interconnect (PCI), peripheral component interconnect extended (PCIx), PCI express (PCIe), or any number of other technologies. The interconnect 1456 may be a proprietary bus, for example, used in a SoC based system. Other bus systems may be included, such as an I2C interface, an SPI interface, point to point interfaces, and a power bus, among others.

The interconnect 1456 may couple the processor 1452 to a mesh transceiver 1462, for communications with other mesh devices 1464. The mesh transceiver 1462 may use any number of frequencies and protocols, such as 2.4 Gigahertz (GHz) transmissions under the IEEE 802.15.4 standard, using the Bluetooth® low energy (BLE) standard, as defined by the Bluetooth® Special Interest Group, or the ZigBee® standard, among others. Any number of radios, configured for a particular wireless communication protocol, may be used for the connections to the mesh devices 1464. For example, a WLAN unit may be used to implement Wi-Fi™ communications in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. In addition, wireless wide area communications, e.g., according to a cellular or other wireless wide area protocol, may occur via a WWAN unit.

The mesh transceiver 1462 may communicate using multiple standards or radios for communications at different range. For example, the IoT device 1450 may communicate with close devices, e.g., within about 10 meters, using a local transceiver based on BLE, or another low power radio, to save power. More distant mesh devices 1464, e.g., within about 50 meters, may be reached over ZigBee or other intermediate power radios. Both communications techniques may take place over a single radio at different power levels, or may take place over separate transceivers, for example, a local transceiver using BLE and a separate mesh transceiver using ZigBee.

A wireless network transceiver 1466 may be included to communicate with devices or services in the cloud 1400 via local or wide area network protocols. The wireless network transceiver 1466 may be a LPWA transceiver that follows the IEEE 802.15.4, or IEEE 802.15.4g standards, among others. The IoT device 1450 may communicate over a wide area using LoRaWAN™ (Long Range Wide Area Network) developed by Semtech and the LoRa Alliance. The techniques described herein are not limited to these technologies, but may be used with any number of other cloud transceivers that implement long range, low bandwidth communications, such as Sigfox, and other technologies. Further, other communications techniques, such as time-slotted channel hopping, described in the IEEE 802.15.4e specification may be used.

Any number of other radio communications and protocols may be used in addition to the systems mentioned for the mesh transceiver 1462 and wireless network transceiver 1466, as described herein. For example, the radio transceivers 1462 and 1466 may include an LTE or other cellular transceiver that uses spread spectrum (SPA/SAS) communications for implementing high speed communications. Further, any number of other protocols may be used, such as Wi-Fi® networks for medium speed communications and provision of network communications.

The radio transceivers 1462 and 1466 may include radios that are compatible with any number of 3GPP (Third Generation Partnership Project) specifications, notably Long Term Evolution (LTE), Long Term Evolution-Advanced (LTE-A), and Long Term Evolution-Advanced Pro (LTE-A Pro). It may be noted that radios compatible with any number of other fixed, mobile, or satellite communication technologies and standards may be selected. These may include, for example, any Cellular Wide Area radio communication technology, which may include e.g. a 5th Generation (5G) communication systems, a Global System for Mobile Communications (GSM) radio communication technology, a General Packet Radio Service (GPRS) radio communication technology, or an Enhanced Data Rates for GSM Evolution (EDGE) radio communication technology, a UMTS (Universal Mobile Telecommunications System) communication technology, In addition to the standards listed above, any number of satellite uplink technologies may be used for the wireless network transceiver 1466, including, for example, radios compliant with standards issued by the ITU (International Telecommunication Union), or the ETSI (European Telecommunications Standards Institute), among others. The examples provided herein are thus understood as being applicable to various other communication technologies, both existing and not yet formulated.

A network interface controller (NIC) 1468 may be included to provide a wired communication to the cloud 1400 or to other devices, such as the mesh devices 1464. The wired communication may provide an Ethernet connection, or may be based on other types of networks, such as Controller Area Network (CAN), Local Interconnect Network (LIN), DeviceNet, ControlNet, Data Highway+, PROFIBUS, or PROFINET, among many others. An additional NIC 1468 may be included to allow connect to a second network, for example, a NIC 1468 providing communications to the cloud over Ethernet, and a second NIC 1468 providing communications to other devices over another type of network.

The interconnect 1456 may couple the processor 1452 to an external interface 1470 that is used to connect external devices or subsystems. The external devices may include sensors 1472, such as accelerometers, level sensors, flow sensors, optical light sensors, camera sensors, temperature sensors, a global positioning system (GPS) sensors, pressure sensors, barometric pressure sensors, and the like. The external interface 1470 further may be used to connect the IoT device 1450 to actuators 1474, such as power switches, valve actuators, an audible sound generator, a visual warning device, and the like.

In some optional examples, various input/output (I/O) devices may be present within, or connected to, the IoT device 1450. For example, a display or other output device 1484 may be included to show information, such as sensor readings or actuator position. An input device 1486, such as a touch screen or keypad may be included to accept input. An output device 1484 may include any number of forms of audio or visual display, including simple visual outputs such as binary status indicators (e.g., LEDs) and multi-character visual outputs, or more complex outputs such as display screens (e.g., LCD screens), with the output of characters, graphics, multimedia objects, and the like being generated or produced from the operation of the IoT device 1450.

A battery 1476 may power the IoT device 1450, although in examples in which the IoT device 1450 is mounted in a fixed location, it may have a power supply coupled to an electrical grid. The battery 1476 may be a lithium ion battery, or a metal-air battery, such as a zinc-air battery, an aluminum-air battery, a lithium-air battery, and the like.

A battery monitor/charger 1478 may be included in the IoT device 1450 to track the state of charge (SoCh) of the battery 1476. The battery monitor/charger 1478 may be used to monitor other parameters of the battery 1476 to provide failure predictions, such as the state of health (SoH) and the state of function (SoF) of the battery 1476. The battery monitor/charger 1478 may include a battery monitoring integrated circuit, such as an LTC4020 or an LTC2990 from Linear Technologies, an ADT7488A from ON Semiconductor of Phoenix Ariz., or an IC from the UCD90xxx family from Texas Instruments of Dallas, Tex. The battery monitor/charger 1478 may communicate the information on the battery 1476 to the processor 1452 over the interconnect 1456. The battery monitor/charger 1478 may also include an analog-to-digital (ADC) convertor that allows the processor 1452 to directly monitor the voltage of the battery 1476 or the current flow from the battery 1476. The battery parameters may be used to determine actions that the IoT device 1450 may perform, such as transmission frequency, mesh network operation, sensing frequency, and the like.

A power block 1480, or other power supply coupled to a grid, may be coupled with the battery monitor/charger 1478 to charge the battery 1476. In some examples, the power block 1480 may be replaced with a wireless power receiver to obtain the power wirelessly, for example, through a loop antenna in the IoT device 1450. A wireless battery charging circuit, such as an LTC4020 chip from Linear Technologies of Milpitas, Calif., among others, may be included in the battery monitor/charger 1478. The specific charging circuits chosen depend on the size of the battery 1476, and thus, the current required. The charging may be performed using the Airfuel standard promulgated by the Airfuel Alliance, the Qi wireless charging standard promulgated by the Wireless Power Consortium, or the Rezence charging standard, promulgated by the Alliance for Wireless Power, among others.

The storage 1458 may include instructions 1482 in the form of software, firmware, or hardware commands to implement the techniques described herein. Although such instructions 1482 are shown as code blocks included in the memory 1454 and the storage 1458, it may be understood that any of the code blocks may be replaced with hardwired circuits, for example, built into an application specific integrated circuit (ASIC).

In an example, the instructions 1482 provided via the memory 1454, the storage 1458, or the processor 1452 may be embodied as a non-transitory, machine readable medium 1460 including code to direct the processor 1452 to perform electronic operations in the IoT device 1450. The processor 1452 may access the non-transitory, machine readable medium 1460 over the interconnect 1456. For instance, the non-transitory, machine readable medium 1460 may be embodied by devices described for the storage 1458 of FIG. 14 or may include specific storage units such as optical disks, flash drives, or any number of other hardware devices. The non-transitory, machine readable medium 1460 may include instructions to direct the processor 1452 to perform a specific sequence or flow of actions, for example, as described with respect to the flowchart(s) and block diagram(s) of operations and functionality depicted above.

In further examples, a machine-readable medium also includes any tangible medium that is capable of storing, encoding or carrying instructions for execution by a machine and that cause the machine to perform any one or more of the methodologies of the present disclosure or that is capable of storing, encoding or carrying data structures utilized by or associated with such instructions. A “machine-readable medium” thus may include, but is not limited to, solid-state memories, and optical and magnetic media. Specific examples of machine-readable media include non-volatile memory, including but not limited to, by way of example, semiconductor memory devices (e.g., electrically programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM)) and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The instructions embodied by a machine-readable medium may further be transmitted or received over a communications network using a transmission medium via a network interface device utilizing any one of a number of transfer protocols (e.g., HTTP).

It should be understood that the functional units or capabilities described in this specification may have been referred to or labeled as components or modules, in order to more particularly emphasize their implementation independence. Such components may be embodied by any number of software or hardware forms. For example, a component or module may be implemented as a hardware circuit comprising custom very-large-scale integration (VLSI) circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A component or module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like. Components or modules may also be implemented in software for execution by various types of processors. An identified component or module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions, which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified component or module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the component or module and achieve the stated purpose for the component or module.

Indeed, a component or module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices or processing systems. In particular, some aspects of the described process (such as code rewriting and code analysis) may take place on a different processing system (e.g., in a computer in a data center), than that in which the code is deployed (e.g., in a computer embedded in a sensor or robot). Similarly, operational data may be identified and illustrated herein within components or modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network. The components or modules may be passive or active, including agents operable to perform desired functions.

Additional examples of the presently described method, system, and device embodiments include the following, non-limiting configurations. Each of the following non-limiting examples may stand on its own, or may be combined in any permutation or combination with any one or more of the other examples provided below or throughout the present disclosure.

Example 1 is an orchestrated system of distributed nodes running an application, the orchestrated system comprising: a first node executing a first module with a first output; and a second node executing a second module, the second module using the first output as an input, and providing a second output to a third module executing on a third node; wherein, in response to detection of a failure of the second node, the first node and the third node are configured to coordinate to determine a replacement node for redeploying the second module.

In Example 2, the subject matter of Example 1 includes, wherein the replacement node is a redundant node preconfigured to receive the first output and operate the second module.

In Example 3, the subject matter of Example 2 includes, wherein the redundant node is not connected to provide output to any nodes until after the redundant node is operating as the replacement node.

In Example 4, the subject matter of Examples 2-3 includes, wherein the second node is configured to periodically send parameters and state information about the second module to the redundant node.

In Example 5, the subject matter of Examples 2-4 includes, wherein in response to the redundant node failing, a second redundant node is designated as the replacement node.

In Example 6, the subject matter of Examples 1-5 includes, wherein the first node is configured to save a redundant state of the second module when the first output is generated.

In Example 7, the subject matter of Examples 1-6 includes, wherein when coordinating, the first node and the third node are configured to determine a set of nodes connected to the second node.

In Example 8, the subject matter of Examples 1-7 includes, wherein the replacement node is configured to connect to the first node to receive output from the first module and to connect to the third node to provide output from the second module to the third module.

In Example 9, the subject matter of Examples 1-8 includes, wherein the configuration of the first, second, and third modules on the first, second, and third nodes is initially generated by an orchestration server, and wherein the orchestration server is configured to be disconnected from the first node, the second node, and the third node.

In Example 10, the subject matter of Examples 1-9 includes, wherein the second node is implemented on a virtual machine and wherein the second module is instantiated in the replacement node based on an image of the second node on the virtual machine.

In Example 11, the subject matter of Examples 1-10 includes, wherein the first node is selected as a leader node using a leader-election algorithm.

Example 12 is a method of running an application using distributed nodes of an orchestrated system, the method comprising: executing a first module on a first node, the first module having a first output; executing a second module on a second node, the second module using the first output as an input; providing a second output from the second module to a third module executing on a third node; and in response to detection of a failure of the second node, determining a replacement node for redeploying the second module by coordinating between the first node and the third node.

In Example 13, the subject matter of Example 12 includes, wherein determining the replacement node includes identifying a redundant node preconfigured to receive the first output and operate the second module.

In Example 14, the subject matter of Example 13 includes, wherein the redundant node is not connected to provide output to any nodes until after the redundant node is operating as the replacement node.

In Example 15, the subject matter of Examples 13-14 includes, periodically sending parameters and state information about the second module from the second node to the redundant node.

In Example 16, the subject matter of Examples 13-15 includes, wherein in response to the redundant node failing, designating a second redundant node as the replacement node.

In Example 17, the subject matter of Examples 12-16 includes, at the first node, saving a redundant state of the second module when the first output is generated.

In Example 18, the subject matter of Examples 12-17 includes, wherein determining the replacement node includes determining a set of nodes connected to the second node.

In Example 19, the subject matter of Examples 16-18 includes, connecting the replacement node to the first node to receive output from the first module and connecting the replacement node to the third node to provide output from the second module to the third module.

In Example 20, the subject matter of Examples 12-19 includes, initially generating a configuration of the first, second, and third modules on the first, second, and third nodes using an orchestration server, and further comprising disconnecting the orchestration server from the first node, the second node, and the third node before the second node fails.

In Example 21, the subject matter of Examples 12-20 includes, implementing the second node on a virtual machine and further comprising instantiating the second module in the replacement node based on an image of the second node on the virtual machine.

In Example 22, the subject matter of Example undefined includes, selecting the first node as a leader node using a leader-election algorithm.

Example 23 is at least one machine-readable medium including instructions that, when executed by processing circuitry, cause the processing circuitry to perform operations to implement of any of Examples 1-22.

Example 24 is an apparatus comprising means to implement of any of Examples 1-22.

Example 25 is a system to implement of any of Examples 1-22.

Example 26 is a method to implement of any of Examples 1-22.

Example 27 is a software defined industrial system, comprising respective devices and respective circuitry in the respective devices, with the respective circuitry configured to perform the operations of any of operations of Examples 1-22.

Example 28 is an apparatus, comprising circuitry configured to perform the operations of any of the operations of Examples 1-22.

In Example 29, the subject matter of Example 28 includes, wherein the apparatus is a gateway enabling connection to adapted plurality of field devices, other device networks, or other network deployments.

In Example 30, the subject matter of Examples 28-29 includes, wherein the apparatus is a device operably coupled to at least one sensor and at least one actuator.

In Example 31, the subject matter of Examples 28-30 includes, wherein the apparatus is an Edge Control Node device adapted for connection to a plurality of field devices.

In Example 32, the subject matter of Examples 28-31 includes, wherein the apparatus is an Intelligent I/O Controller device adapted for connection to a plurality of field devices.

In Example 33, the subject matter of Examples 28-32 includes, wherein the apparatus is a Basic I/O Controller device adapted for connection to a plurality of field devices.

In Example 34, the subject matter of Examples 28-33 includes, wherein the apparatus is a control server computing system adapted for connection to a plurality of networked systems.

In Example 35, the subject matter of Examples 28-34 includes, wherein the apparatus is a control processing node computing system adapted for connection to a plurality of networked systems.

Example 36 is a networked system, comprising respective devices connected within a fog or cloud network topology, the respective devices comprising circuitry configured to perform the operations of any of Examples 1-22.

In Example 37, the subject matter of Example 36 includes, wherein the respective devices are connected via a real-time service bus.

In Example 38, the subject matter of Examples 36-37 includes, wherein the network topology includes controller, storage, and compute functionality for the software defined industrial system via a redundant pair of hosts.

In Example 39, the subject matter of Examples 36-38 includes, wherein the network topology includes controller, storage, and compute functionalities for the software defined industrial system via separate physical hosts. 

What is claimed is:
 1. An orchestrated system of distributed nodes running an application, the orchestrated system comprising: a managing node executing a first software component with a first output; and a backup node executing a second software component, the second software component using the first output as an input, and providing a second output to a third software component executing on a dependent node; wherein, in response to detection of a failure of the managing node, the backup node is configured to bypass the managing node by using input state information stored at the backup node and output state information stored at the backup node to run the first software component at the backup node.
 2. The orchestrated system of claim 1, wherein the failure of the managing node is an error in the first output.
 3. The orchestrated system of claim 1, wherein the backup node includes a redundant first software component preconfigured to replace the managing node.
 4. The orchestrated system of claim 3, wherein the redundant first software component is virtualized.
 5. The orchestrated system of claim 3, wherein the backup node runs a virtualization of the managing node, and wherein the redundant first software component is run in the virtualization of the backup node.
 6. The orchestrated system of claim 1, wherein the managing node is further configured to send parameters and state information about the first software component to the backup node before the failure.
 7. The orchestrated system of claim 1, wherein in response to the managing node failing, a redundant node is designated to replace the managing node.
 8. The orchestrated system of claim 1, wherein the backup node is configured to save a redundant state of the first software component when the first output is generated.
 9. The orchestrated system of claim 1, wherein the backup node is configured to determine a set of nodes connected to the managing node.
 10. The orchestrated system of claim 1, wherein the managing node is selected as a leader node using a leader-election algorithm.
 11. The orchestrated system of claim 1, wherein at least one of the managing, backup, or dependent nodes is run as a virtual node.
 12. At least one non-transitory machine readable medium including instructions for orchestrating a system of distributed nodes running an application, which when executed by processing circuitry, cause the processing circuitry to: execute a first software component with a first output at a managing node; execute a second software component at a backup node, the second software component to use the first output as an input; provide a second output, generated using the second software component, to a third software component executing on a dependent node; in response to detection of a failure of the managing node, bypass the managing node using input state information stored at the backup node and output state information stored at the backup node; and run the first software component at the backup node using the input and output state information stored at the backup node.
 13. The at least one machine readable medium of claim 12, wherein the failure of the managing node is an error in the first output.
 14. The at least one machine readable medium of claim 12, wherein the backup node includes a redundant first software component preconfigured to replace the managing node.
 15. The at least one machine readable medium of claim 14, wherein the redundant first software component is virtualized.
 16. The at least one machine readable medium of claim 14, wherein the backup node runs a virtualization of the managing node, and wherein the redundant first software component is run in the virtualization of the backup node.
 17. The at least one machine readable medium of claim 12, wherein the managing node is further configured to send parameters and state information about the first software component to the backup node before the failure.
 18. The at least one machine readable medium of claim 12, wherein in response to the dependent node failing, a redundant node is designated to replace the dependent node.
 19. The at least one machine readable medium of claim 12, wherein the backup node is configured to save a redundant state of the first software component when the first output is generated.
 20. The at least one machine readable medium of claim 12, wherein the backup node is further to determine a set of nodes connected to the second managing node.
 21. The at least one machine readable medium of claim 12, wherein the managing node is selected as a leader node using a leader-election algorithm.
 22. The at least one machine readable medium of claim 12, wherein at least one of the managing, backup, or dependent nodes is run as a virtual node.
 23. A method of running an application using distributed nodes of an orchestrated system, the method comprising: executing a first software component on a managing node, the first software component having a first output; executing a second software component on a backup node, the second software component using the first output as an input; providing a second output from the second software component to a third software component executing on a dependent node; in response to detection of a failure of the managing node, bypassing the managing node using input state information stored at the backup node and output state information stored at the backup node; and running the first software component at the backup node using the input and output state information stored at the backup node. 